The UK’s effort to alleviate IoT security issues reduces the associated hardware risks. Hardware-based attacks involve the perpetrator gaining some form of physical access to the organization. IoTs provide such access – and make it more attainable.
In late 2021, the British government introduced the Product Security and Telecommunications Infrastructure Bill (now the Product Security and Telecommunications Infrastructure Act 2022). The legislation aims to improve the security of Internet of Things (IoT) devices and other connected devices. There are around 30 billion IoTs and smart devices in use globally, and the number is only growing. Yet IoT security remains weak, as illustrated by the 100% increase in IoT breaches in just the first half of 2021. To change this, the bill imposes security requirements on all manufacturers, importers and distributors.
IoT in 1, 2, 3
Within 12 months, all manufacturers, importers and distributors of IoTs and smart devices are required to meet the following cybersecurity standards:
| Requirement | What it means |
|---|---|
| Ban on universal default passwords | Manufacturers can no longer ship universal default passwords such as “password”, “admin” or “user”. These passwords are easy to guess and get exploited by bad actors who take over the device. “Basic cyber hygiene, such as changing default passwords, can go a long way to improving the security for these types of devices”, says Rodolphe Harand, managing director at YesWeHack. |
| Simplified vulnerability reporting | Manufacturers must provide a public point of contact for vulnerability reporting. This makes reporting easier for researchers, who often discover security flaws. Efficient vulnerability reporting is key to ensuring that a bug gets patched before bad actors exploit it. Currently, only 1 in 5 manufacturers maintain systems for disclosing security vulnerabilities. |
| Transparency into security updates | Customers must be informed, at the point of sale, how long their device(s) will receive security updates. Research by University College London found that of 270 products tested, none displayed this information at the point of sale or in any accompanying paperwork. As a result, buyers did not know when their devices stopped receiving the latest security fixes. |
Failure to comply will result in a fine of up to £10 million or 4% of the organization’s global turnover. In the case of ongoing incidents, companies will get fined up to £20,000 per day.
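The three requirements above are easy to state but are usually enforced (or missed) at the point where a product is provisioned for shipment. As an added example, not code from the article, the Act or any manufacturer, the following Python models a pre-shipment check that covers all three: it rejects universal default credentials (including a product-wide model-derived string, which is just as universal as “admin”), generates a per-unit initial password from the OS CSPRNG, and refuses to mark a product shippable without a public vulnerability contact and a stated security-update period. The denylist, field names, sample records and reference date are constructed assumptions for illustration.

```python
"""Added example (not code from the article or from the PSTI Act): a
manufacturer-side pre-shipment check modelling the three requirements in
the table above. The denylist, product records, field names and reference
date are constructed assumptions for illustration."""
import re
import secrets
import string
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed denylist of "universal" factory defaults. A real one would be
# far larger and include vendor-specific defaults seen in public lists.
UNIVERSAL_DEFAULTS = {
    "password", "admin", "user", "root", "guest", "default",
    "1234", "12345678", "letmein", "qwerty",
}


def _norm(value: str) -> str:
    """Lower-case and strip non-alphanumerics so 'Pass-Word' == 'password'."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def is_universal_default(password: str, model: str = "") -> bool:
    """True if the credential is a universal default: empty, on the denylist,
    a denylisted word with digits appended ('Password1'), or derived from the
    product model name (the same string on every unit is still a universal
    default even when it is not a dictionary word)."""
    norm = _norm(password)
    if not norm:
        return True
    denied = set(UNIVERSAL_DEFAULTS)
    if model:
        denied.update({_norm(model), _norm(model).rstrip(string.digits)})
        denied.discard("")
    candidates = {norm, norm.rstrip(string.digits)} - {""}
    return any(c in denied for c in candidates)


def generate_device_password(length: int = 12) -> str:
    """Per-unit initial credential drawn from the OS CSPRNG, meant to be
    printed on that unit's label rather than shared across the product line."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not is_universal_default(candidate):
            return candidate


@dataclass
class ProductRecord:
    model: str
    initial_password: str
    vuln_contact: str              # public point of contact for reports
    support_until: Optional[date]  # update period disclosed at point of sale


_EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def compliance_issues(product: ProductRecord, today: date) -> List[str]:
    """Return the requirements the record fails; an empty list means shippable."""
    issues: List[str] = []
    if is_universal_default(product.initial_password, product.model):
        issues.append("universal default password")
    contact = product.vuln_contact.strip()
    if not (contact.startswith("https://") or _EMAIL.fullmatch(contact)):
        issues.append("no public vulnerability-reporting contact")
    if product.support_until is None:
        issues.append("security-update period not stated")
    elif product.support_until <= today:
        issues.append("security-update period already expired")
    return issues


# Constructed sample records and reference date.
TODAY = date(2023, 1, 1)
LEGACY = ProductRecord("SmartCam-2", "admin", "", None)
FIXED = ProductRecord("SmartCam-2", generate_device_password(),
                      "security@example.com", date(2027, 12, 31))
EXPIRED = ProductRecord("SmartCam-2", generate_device_password(),
                        "https://example.com/security", date(2022, 1, 1))

if __name__ == "__main__":
    for rec in (LEGACY, FIXED, EXPIRED):
        print(rec.model, compliance_issues(rec, TODAY) or "compliant")
```

The model-name check is the part practitioners most often forget: a password such as “smartcam” is not on any generic denylist, yet if every unit ships with it, it fails the “universal default” test exactly as “admin” does. The support-period check also treats an already-expired date as a failure, since a device sold after its update window has closed gives the buyer the transparency in name only.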
The protection you need
IoTs expand the attack surface, as each device acts as an entry point to the organization. The connectedness of smart devices means they enable deeper network infiltration through lateral movement. Because IoTs often lack sufficient protection, they are frequently used for this purpose: attackers compromise the devices with the weakest security when attempting to breach their target. Seemingly harmless devices, such as smart printers and smart coffee machines, also provide network access, and they often receive even less protection than more critical IoTs because they are not deemed a security risk.
The mobility of many IoTs increases their accessibility, as they get used in insecure environments. Remote usage also broadens the attack surface beyond traditional boundaries. Bad actors can gain physical access to IoTs more easily in public settings than in secured workplaces. The physical security restrictions imposed by most organizations make it challenging (although not impossible) for malicious actors to walk into the office building and attach a Rogue Device to an IoT. Public spaces, however, have nearly no access controls. And, through simple social engineering techniques, cybercriminals can have employees unwittingly attach a Rogue Device to their IoT.
The shift to teleworking means smart home devices also pose a risk to the organization, contributing to the growing attack surface. Employees working from home almost always connect their work device(s) to the same network as their smart devices, allowing the latter to be used to compromise the former. And, with an average of 9 smart devices in every home in the UK, attackers have plenty of opportunities to exploit smart home devices with hardware attack tools. In fact, research by Which? found that smart home devices were targeted more than 12,000 times in just one week.
Consumers are unaware of IoT security issues
Consumers, however, are unaware of IoT risks and assume that the device is safe, with many turning to cheaper options in a bid to save money. Doing so only exacerbates the risk, as the inexpensive devices are even less secure. Julia Lopez, UK Minister for Media, Data and Digital Infrastructure, highlights the problem, saying, “most of us assume if a product is for sale, it’s safe and secure. Yet many are not”.
Ultimately, while the UK’s Product Security and Telecommunications Infrastructure Bill won’t eradicate all risks associated with IoT and smart devices, it does reduce them and underlines the importance of prioritizing IoT security. In doing so, the legislation also reduces the hardware-based risks that threaten IoTs and smart devices.
IoTs and smart devices are not going anywhere. So it is paramount that both the public and private sectors continuously work to improve the security of such devices. Legislation can only do so much, and cybersecurity will always require a holistic approach. Risk awareness is of vital importance, as is the implementation of various security solutions to provide extra layers of protection.